System, method and program product for automatically collecting state information for computer system intrusion analysis

US 20030191962A1
Filed: 03/29/2002
Published: 10/09/2003
Est. Priority Date: 03/29/2002
Status: Active Grant

First Claim

Patent Images

1. A system for automatically collecting state information for computer system intrusion analysis, comprising:

a platform identification system for automatically identifying a type of a platform loaded on a computer system; and

a state system for automatically collecting state information pertaining to a state of the computer system, wherein the state information is located with utilities of the identified platform.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and program product for automatically collecting state information for computer system intrusion analysis is provided. Specifically, the present invention is used to automatically collect state information in the event of computer network intrusion. When executed, the present invention will detect a type of a platform operating on a computer system (e.g., the server). Then, using the utilities of the platform, the desired state information will be located and/or collected. Thus, the present invention provides the uniformity of information collection that was not previously possible due to manual collection techniques and varying platform types.

Citations

23 Claims

1. A system for automatically collecting state information for computer system intrusion analysis, comprising:
- a platform identification system for automatically identifying a type of a platform loaded on a computer system; and
  
  a state system for automatically collecting state information pertaining to a state of the computer system, wherein the state information is located with utilities of the identified platform.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the computer system is a server.
  - 3. The system of claim 1, wherein the state system comprises:
    - a log file system for automatically collecting configured log files from the computer system;
      
      a process system for automatically collecting process information pertaining to processes running on the computer system;
      
      a network system for automatically collecting network information pertaining to a network in which the computer system is operating;
      
      a computer information system for automatically collecting computer information pertaining to the computer system; and
      
      a trust system for automatically collecting trust information pertaining to trusts extended by the computer system over the network.
  - 4. The system of claim 3, wherein the collected computer information pertains to:
    - intrusion indicators, set ULID files, set GID files, I-node values, configured file systems, users currently logged on the computer system, loaded kernel modules, user reboots, and password files.
  - 5. The system of claim 3, wherein the collected network information pertains to network interface configurations, network routing information, open network ports, and current services.
  - 6. The system of claim 3, wherein the collected process information pertains to scheduled current jobs, process lists, environment variables and open files.
  - 7. The system of claim 3, further comprising:
    - a general information system for automatically collecting general information from the computer system; and
      
      an output system for outputting the general information, computer state information, network state information, process information, trust information and log files.
  - 8. The system of claim 7, further comprising:
    - a security system for cryptographically securing the outputted general information, computer state information, network state information, process information, trust information and log files.

9. A method for automatically collecting state information for computer system intrusion analysis, comprising the steps of:
- identifying a type of a platform loaded on a computer system;
  
  locating state information pertaining to a state of the computer system using utilities of the identified platform; and
  
  automatically collecting the located state information from the computer system.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, further comprising:
    - automatically collecting configured log files from the computer system;
      
      automatically collecting process information pertaining to processes running on the computer system;
      
      automatically collecting computer information pertaining to the computer system;
      
      automatically collecting network information pertaining to a network in which the computer system is operating;
      
      automatically collecting trust information pertaining to trusts extended by the computer system over the network; and
      
      outputting the collected system state information, the network state information, the log files and the process information.
  - 11. The method of claim 10, wherein the collected computer information pertains to:
    - intrusion indicators, set UID files, set GID files, I-node values, configured file systems, users currently logged on the computer system, loaded kernel modules, user reboots, and password files.
  - 12. The method of claim 10, wherein the collected network information pertains to network interface configurations, network routing information, open network ports, and current services.
  - 13. The method of claim 10, wherein the collected process information pertains to scheduled current jobs, process lists, environment variables and open files.
  - 14. The method of claim 10, further comprising the step of securing the outputted computer state information, network state information, process information, trust information and log files.
  - 15. The method of claim 14, wherein the securing step comprises the step of cryptographically securing the outputted computer state information, network state information, process information, trust information and log files.

16. A program product stored on a recordable medium for automatically collecting state information for computer system intrusion analysis, which when executed comprises:
- program code for automatically identifying a type of a platform loaded on a computer system; and
  
  program code for automatically collecting state information pertaining to a state of the computer system, wherein the state information is located with utilities of the identified platform.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The program product of claim 16, wherein the computer system is a server.
  - 18. The program product of claim 16, further comprising:
    - program code for automatically collecting configured log files from the computer system;
      
      program code for automatically collecting process information pertaining to processes running on the computer system;
      
      program code for automatically collecting computer information pertaining to the computer system;
      
      program code for automatically collecting network information pertaining to a state of a network in which the computer system is operating; and
      
      program code for automatically collecting trust information pertaining to trusts extended by the computer system over the network.
  - 19. The program product of claim 18, wherein the collected computer information pertains to:
    - intrusion indicators, set UID files, set GID files, I-node values, configured file systems, users currently logged on the computer system, loaded kernel modules, user reboots, and password files.
  - 20. The program product of claim 18, wherein the collected network information pertains to network interface configurations, network routing information, open network ports, and current services.
  - 21. The program product of claim 18, wherein the collected process information pertains to scheduled current jobs, process lists, environment variables and open files.
  - 22. The program product of claim 18, further comprising:
    - program code for automatically collecting general information from the computer system; and
      
      program code for outputting the collected general information, system state information, the network state information, the log files and the process information.
  - 23. The program product of claim 22, further comprising program code for cryptographically securing the outputted general information, computer state information, network state information, process information, trust information and log files.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Calvert, Christopher L.

Granted Patent

US 7,080,250 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/568 eliminating virus, restorin...

G06F 2221/2101 Auditing as a secondary aspect

System, method and program product for automatically collecting state information for computer system intrusion analysis

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and program product for automatically collecting state information for computer system intrusion analysis

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links